Office of
INSPECTOR GENERAL

Audit Report

Audit of the USITC Local Area Network Operations

Report No. IG-01-96

March 1996
Date Issued

INSPECTOR GENERAL
UNITED STATES INTERNATIONAL TRADE COMMISSION
WASHINGTON, D.C. 20436

March 15, 1995

REVIEW OF USITC LOCAL AREA NETWORK OPERATIONS

Since 1988, the Commission has invested a substantial amount of resources into automating agency functions and implementing a Local Area Network (LAN) using Banyan Vines that reaches virtually every employee. An audit report issued in September 1992 made numerous recommendations for improving security and procedures. The objectives of this review were to: update the 1992 evaluation of the Commission's administration and control of the LAN; assess the adequacy of LAN security; and evaluate the appropriateness of Commission policies on use of the LAN.

This review was conducted by Cotton & Company in accordance with the Government Auditing Standards issued by the Comptroller General of the United States. The auditors found that the procedures were sufficient, in all material aspects, to provide for effective LAN administration and control, but identified several areas in which controls should be strengthened to remove potential security weaknesses.

The auditors found:

• Security control weaknesses exist regarding use of modems;
• Unauthorized and fictitious users are not deleted from the network on a timely basis;
• Procedures for investigating security violations should be strengthened;
• A security plan should be developed and security controls tested;
• Unauthorized persons have access to backup tapes;
• Procedures for assuring compliance with software licensing requirements are inadequate;
• Procedures for transporting backup tapes are not documented;
• The disaster recovery plan is not tested;
• The titles and roles of network administrators should be clarified; and
• Policies regarding non-essential software and unofficial computer use should be established.

Recommendations addressing these findings are presented after each section in the report.

The Director of the Office of Information Services concurred with the findings and recommendations. A summary of the Director's comments is presented after each finding on pages 6 through 14. The Director's comments are presented in their entirety as an appendix to the report.

Jane E. Altenhofen
Inspector General

REPORT ON REVIEW OF UNITED STATES INTERNATIONAL TRADE COMMISSION LOCAL AREA NETWORK OPERATIONS

OCTOBER 1995

Prepared by:
Cotton & Company
Certified Public Accountants
Alexandria, Virginia

CONTENTS

Objectives ... 2
Scope ... 3
Methodology ... 3
Management Controls ... 4
Findings and Recommendations ... 4
  1. Security Control Weaknesses Exist Regarding Use of Modems ... 5
  2. Unauthorized and Fictitious Users Are Not Deleted from the Network on a Timely Basis ... 6
  3. Procedures for Investigating Security Violations Should Be Strengthened ... 7
  4. Security Plan Should Be Developed and Security Controls Tested ... 8
  5. Unauthorized Persons Have Access to Backup Tapes ... 9
  6. Procedures for Assuring Compliance with Software Licensing Requirements Are Inadequate ... 10
  7. Procedures for Transporting Backup Tapes Are Not Documented ... 11
  8. Disaster Recovery Plan Is Not Tested ... 12
  9. Titles and Roles of Network Administrators Should Be Clarified ... 13
  10. Policies Regarding Non-essential Software and Unofficial Computer Use Should Be Established ... 14
Commission Response ... Appendix

REPORT ON REVIEW OF UNITED STATES INTERNATIONAL TRADE COMMISSION LOCAL AREA NETWORK OPERATIONS

The United States International Trade Commission (ITC) is an independent Federal agency with broad investigative powers on matters of trade. In its adjudicative role, ITC determines injury and threat of injury by imports to United States industry.

ITC has determined that it is more cost effective to use cross-servicing and timesharing agreements rather than to maintain internal mini- or mainframe computer capability. Thus, it obtains general data processing facilities from the National Institutes of Health, financial system support from the Department of Interior, payroll services from the General Services Administration, and personnel management support from the Department of Energy.

Since 1988, however, ITC has invested substantial resources to automate agency functions and implement a local area network (LAN). A LAN is a geographically confined computer-based communications system capable of transmitting information or data among stations. ITC's LAN system is Banyan Vines.

As of September 1995, ITC's LAN consisted of 11 file servers running Banyan Vines 5.5, several special application servers, such as a fax server, and approximately 470 personal computers as workstations.

The LAN supports a variety of office automation functions, including word processing, electronic mail, spreadsheets, and end-user database applications. Software includes Windows, WordPerfect, Lotus 1-2-3, dBase, Harvard Graphics, Timetalk, Electronic Mail (e-mail), and Tackboard. The system contains unclassified as well as sensitive information, such as confidential business information. Users are provided network and computer security training.

As set forth in USITC Directive 1031, dated February 6, 1994, the Office Automation Support Division (currently the Information Services Division), within the Office of Information Services (OIS), is responsible for:

• Central network administration including all LAN connectivity and communication interfaces with computer service bureaus and mainframes, network hardware, software, maintenance, cabling, and user support.
• Office automation technical support including installing, maintaining, and supporting end-user equipment and software and providing end users with supplies and services as needed.
• Implementation of Federal government policies, principles, guidelines, and standards for LAN operations.
• LAN security.

ITC has two primary objectives regarding LAN security. Although it is ITC's policy not to store confidential business information on the LAN, many users process confidential business information on the LAN and remove it once a task is complete. Therefore, confidential business information, while being processed on the LAN or stored on backup tapes, must be protected against security breaches. ITC's second objective is to protect data from being lost or altered, thus resulting in economic loss caused by the need to recreate and reprocess data.

OBJECTIVES

We reviewed ITC's policies and procedures for managing its LAN. Our overall objectives were to update the 1992 evaluation of ITC's administration and control of the LAN, assess the adequacy of LAN security, and evaluate the appropriateness of policies on LAN use. Specific objectives were to:

• Determine if recommendations made in the 1992 Audit Report IG-04-92 and suggested actions agreed upon by management and the Office of Inspector General (OIG) have been implemented and effectively address the findings.
• Determine if LAN security has been compromised, and evaluate computer system controls.
• Determine the existence of unauthorized or unlicensed software on personal computers (PCs) and, if found, determine how programs were installed.
• Evaluate the appropriateness of allowing games, which may be part of authorized or licensed software, to be on ITC equipment.
• Identify the number of system administrators and the extent of their access to the LAN. Determine how they are selected and trained. Determine if their access to the LAN presents an excessive risk and what controls are in place to reduce that risk.
• Identify officials with responsibility for and access to off-site backup data and disaster recovery. Evaluate the backup and recovery system and procedures and disaster recovery plan for compliance with laws and regulations and efficiency.
• Determine which employees can access LAN files (including deleted e-mail messages) other than their own and if a trail is left.
• Evaluate controls established to prevent virus infections and determine compliance.
• Review ITC policy and procedures for using ITC computer equipment for non-official use and evaluate for reasonableness, enforceability, and compliance with laws and regulations.

SCOPE

We conducted our review of ITC's policies and procedures for managing its LAN during August and September 1995 at ITC headquarters in Washington, DC. The review was conducted in accordance with generally accepted Government auditing standards.

METHODOLOGY

In the context of the above objectives, we:

• Interviewed selected ITC officials and reviewed documents to evaluate ITC policies and procedures applicable to LAN administration, control, and security.
• Evaluated existing system controls, tested a sample of PCs to determine the existence of unauthorized or unlicensed software, and looked for evidence of LAN security compromises or violations.
• Identified LAN network and group administrators, the extent of their access to the LAN, and procedures to prevent security risks.
• Examined procedures for backing up the LAN and storing and accessing the backup devices, and interviewed the contractor that stores backup tapes.
• Inquired about ITC's disaster recovery plan and security plan.
• Tested e-mail access to determine if users can access another user's e-mail files and determined if e-mail can be retrieved from backup devices by unauthorized staff.
• Tested and evaluated controls to detect or prevent virus infections on ITC equipment.
• Evaluated the reasonableness and enforceability of ITC policies regarding non-official use of ITC equipment.
• Determined if actions taken to correct previous audit findings had been effectively implemented.

We used the following guidelines and operating regulations to evaluate ITC's LAN administration:

• Federal Information Processing Standards Publication (FIPS PUB) No. 112, Password Usage, dated May 30, 1985.
• Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, effective June 25, 1993.
• Proposed Revision to OMB Circular A-130, Appendix III, Security of Federal Automated Systems (Federal Register, Volume 60, No. 63, dated April 3, 1995).
• OMB Bulletin No. 90-08, Guidance for Preparation of Security Plans for Federal Computer Systems that Contain Sensitive Information, dated July 9, 1990.
• Computer Security Act of 1987, Public Law 100-235 [HR 145], dated January 8, 1988.
• United States General Accounting Office (GAO), Standards for Internal Controls in the Federal Government, 1983.
• ITC Guidelines:
  • Directive 1031, OIS, Office Automation Support Division, Mission and Functions Statement, dated February 6, 1994.
  • Directive 1360.1, Automated Data Security Procedures, dated July 21, 1993.
  • Directive 1355, Handling and Safeguarding Confidential Business Information, dated July 1, 1985.
  • Directive 7102.1, Guidelines for using the USITC Local Area Network for Electronic Mail and Bulletin Board Purposes, dated January 8, 1990.
  • Directive 3050, Emergency Recovery Contingency Plan, dated March 8, 1993.
  • Administrative Order 93-01, Adherence to Computer Software Licensing Agreement and Copyright Restrictions, dated October 8, 1992.
  • Banyan Network User's Manual, dated August 1993.
  • OIS' Senior Network Administration Procedures, undated.

MANAGEMENT CONTROLS

In planning and performing our review of ITC's LAN, we assessed ITC's management control structure to the extent deemed necessary to plan and conduct the review and form conclusions related to the review objectives and not to provide assurance on the management control structure.

FINDINGS AND RECOMMENDATIONS

The findings and our recommendations are discussed below.

1. Security Control Weaknesses Exist Regarding Use of Modems

We noted several areas in which controls over the use of modems should be strengthened to remove potential security weaknesses.

• We noted that some network users have stand-alone modems (external and internal) at their workstations. ITC indicated that some modems were provided to dial out to host computers, in part because the modem pool was insufficient to meet peak workloads. ITC does not have an inventory of workstations with stand-alone modems and does not have procedures for controlling and monitoring their usage.

  ITC Directive 1360.1, Chapter I, Procedures for Remote Dial-Up Access, states that users connecting to the LAN remotely must use the central dial-up facility and may not dial the personal computer in their office.

  However, OIS is aware of instances in which users did not log out or turn off their computers after business hours. It is possible that users could remain logged into the LAN and simultaneously leave communications software running in the "answer" configuration, thus enhancing the risk of unauthorized access to the LAN.

• ITC has one modem in the modem pool that is set to accept incoming calls without confirming the user's authenticity through the dial-back feature. This modem was established to permit users on travel status to access e-mail only. In order to access this modem, the user must be running Banyan Vines software on the remote PC and have an account with a valid name and password combination. While these controls will help prevent security violations, we noted that ITC does not currently log users of this modem or maintain active and up-to-date lists of authorized users. Without user logs and regular monitoring of activity, ITC cannot detect and investigate potential or actual access by unauthorized users.

  OMB Circular A-130, Section 8.a(1)(g), Policy - Information Management Planning, states that agencies shall protect government information commensurate with the risk and magnitude of harm that could result from the loss, misuse or unauthorized access to or modification of such information.

• In response to a prior audit report recommendation, ITC established a dial-in modem pool with a dial-back control feature and implemented controls to monitor access authorization and actual activity. We noted, however, that OIS does not periodically prepare and distribute to office directors and supervisors reports identifying authorized users and actual activity. Because the dial-in facility is intended only for those having a specific need to access the network from an authorized remote location, periodic review by office directors and supervisors will help assure that access is limited to persons needing access and that abuse does not take place.

  The GAO Standards for Internal Controls in the Federal Government, Specific Standard No. 5, Supervision, states that qualified and continuous supervision is to be provided to ensure that internal control objectives are achieved.

Recommendations. We recommend that the Director of OIS:

a. Determine the number and location of stand-alone modems not included in the modem pool and their usage rate; retrieve all external and internal modems; and determine if the modem pool should be increased to meet peak workloads. If OIS maintains that stand-alone modems are justified, establish special controls, such as a dial-back feature or limited hours of access.

b. Prepare and update a report that identifies who has access to the modem without the dial-back feature and when authorization was granted and deleted.

c. Establish procedures to identify and monitor the activity of the modem without the dial-back control feature that will enable OIS to detect and investigate unauthorized access.

d. Circulate reports identifying authorized users of the modem pool and activity reports showing usage of the modems to office directors and supervisors on a periodic basis to assure that users are granted access only when necessary and that users are not abusing their access rights.

Commission Response. OIS stated that the security threat resulting from unauthorized modem use is minimal and the cost and inconvenience of implementing additional reports and restrictions are not justified. It did agree, however, to implement closer monitoring of failed login attempts via the non-dial-back modem since doing so will not involve extensive administrator time.

The General Counsel stated that the recommendation regarding limited hours of access to the LAN would interfere significantly with legitimate agency business because employees work late hours and on weekends.

Auditors' Additional Comments. We agree that the proposed action will help identify possible or actual instances of unauthorized LAN access. If incidents are identified, we think that OIS should implement our other recommendations.

2. Unauthorized and Fictitious Users Are Not Deleted from the Network on a Timely Basis

ITC does not have procedures in place to assure that user identifications (IDs) are deleted on a timely basis when employees are terminated or transferred within ITC. We noted that terminated and transferred employees, including network administrators, remained on the LAN user access list after termination or transfer dates. OIS indicated that if an employee's user ID was not deleted, in which case the employee remains on the access list, the employee will not have access to the LAN if his or her password was changed or disabled. OIS cannot, however, produce a report that shows if or when passwords are changed or disabled.

Based on discussions with various ITC representatives, and review of Directive 1360.1, system administrators or coordinators (Group Administrators) are responsible for deleting user IDs or requesting OIS to delete them when employees leave ITC or are transferred within ITC. OIS does not have procedures to assure that this is being done in a timely manner. Accordingly, access to the LAN may be granted to unauthorized personnel. OIS is responsible for LAN security and thus should assure that unauthorized users and user accounts are deleted from the system in a timely manner.

We also noted several fictitious user IDs on the LAN. ITC does not have a policy or guidelines for creating, using, and deleting fictitious user IDs. Accordingly, a fictitious user ID may be created inappropriately or remain longer than necessary or after the person who created it leaves ITC, thus increasing the risk of unauthorized LAN access.

ITC Directive 1360.1, Section 4, Responsibilities, states that the Director of OIS is responsible for administering the assignment and maintenance of user IDs and passwords for the LAN access including clearance of all departing ITC staff who have been assigned passwords.

Recommendations. We recommend that the Director of OIS:

a. Establish procedures to assure that Group Administrators have deleted user IDs for all terminated and transferred employees on or before the individual's last workday or date of transfer.

b. Establish and document policies and procedures to minimize the creation and use of fictitious user IDs and to assure that they are deleted as soon as they are no longer needed or before an employee using the fictitious ID leaves ITC.

Commission Response. OIS stated that it has a procedure in place to verify that departing employees are deleted from the network, although it involves a delay of up to one month from the date the employee departs. OIS believes, however, that the security threat from departing employees is small, and stated that it has not become aware of any actual or suspected threat of compromise or destruction of data by departing employees.

OIS stated that it will, however, implement an annual review of fictitious accounts to establish the continuing need for each or to delete them.

Auditors' Additional Comments. OIS procedures for verifying that departing employees are deleted from the LAN appear adequate if Group Administrators are, in fact, deleting departing employee IDs on or near their departure date. If OIS determines that Group Administrators are not deleting departing employee IDs in a timely manner, OIS should either review and strengthen the Group Administrator procedures or revise its procedures for assuring that IDs are deleted as soon as employees depart the Agency.

3. Procedures for Investigating Security Violations Should Be Strengthened

OIS should strengthen current procedures for reviewing possible or actual security violations. An OIS representative stated that ITC does not regularly log all network activities, but rather has set the system log to record only login and logout activities to minimize the use of network resources. Such logs are only casually examined for potential security threats.

OIS represented that it reviews the system log on the server for failed login attempts and discusses them with the user. OIS does not, however, produce an exception report of failed login attempts or document the results of its review of the system log.

If a large number of bona fide login failures exists, and an exception report is not produced, a true security violation may go undetected.
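What the exception report this finding calls for could look like, as an added illustration that is not code from the report, from OIS, or from Banyan Vines: failed-login events are pulled out of a login/logout log, any user exceeding the Network Log's three-attempt rule is listed with the token ring address the attempts came from, and, as an added pattern check the report does not itself name, addresses whose failures are spread across several user IDs are flagged separately. The log line layout and every sample entry are constructed for the example.

```python
"""Failed-login exception report from a LAN login/logout system log.

Added example, not the report's, OIS's or Banyan's code. The log format
below is constructed for this illustration; Banyan's real log layout is
not reproduced.  Format per line:
    <YYYY-MM-DD HH:MM:SS> <LOGIN_OK|LOGIN_FAIL|LOGOUT> user=<id> addr=<token ring addr> [reason]
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import re
from typing import Dict, List

# Constructed sample log covering one evening: a user who mistypes twice and
# then succeeds (bona fide failures), and a burst after hours from one
# address that tries the same user four times and then two other IDs.
SAMPLE_LOG = """\
1995-09-11 08:02:13 LOGIN_OK   user=jsmith  addr=4000-1234-0001
1995-09-11 08:05:41 LOGIN_FAIL user=rjones  addr=4000-1234-0002 bad_password
1995-09-11 08:05:59 LOGIN_FAIL user=rjones  addr=4000-1234-0002 bad_password
1995-09-11 08:06:20 LOGIN_OK   user=rjones  addr=4000-1234-0002
1995-09-11 17:31:02 LOGOUT     user=jsmith  addr=4000-1234-0001
1995-09-11 22:14:05 LOGIN_FAIL user=jsmith  addr=4000-1234-0099 bad_password
1995-09-11 22:14:30 LOGIN_FAIL user=jsmith  addr=4000-1234-0099 bad_password
1995-09-11 22:15:01 LOGIN_FAIL user=jsmith  addr=4000-1234-0099 bad_password
1995-09-11 22:15:40 LOGIN_FAIL user=jsmith  addr=4000-1234-0099 bad_password
1995-09-11 22:16:12 LOGIN_FAIL user=admin   addr=4000-1234-0099 no_such_user
1995-09-11 22:16:45 LOGIN_FAIL user=backup  addr=4000-1234-0099 no_such_user
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>LOGIN_OK|LOGIN_FAIL|LOGOUT)\s+"
    r"user=(?P<user>\S+)\s+addr=(?P<addr>\S+)(?:\s+(?P<reason>\S+))?$"
)


@dataclass
class FailedLogin:
    when: datetime
    user: str
    addr: str      # token ring address the attempt came from
    reason: str


def parse_failures(log_text: str) -> List[FailedLogin]:
    """Keep only LOGIN_FAIL events. A line that does not match the layout is
    an error rather than silently skipped: a reviewer must not lose events."""
    failures: List[FailedLogin] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        if m["event"] != "LOGIN_FAIL":
            continue
        failures.append(FailedLogin(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                                    m["user"], m["addr"], m["reason"] or "unspecified"))
    return failures


def exception_report(failures: List[FailedLogin], threshold: int = 3) -> List[dict]:
    """Users with MORE than `threshold` failed logins (the weekly Network Log
    rule is 'more than three times'), with the addresses involved and the
    time window, so each entry can be discussed with the user and documented."""
    per_user: Dict[str, List[FailedLogin]] = defaultdict(list)
    for f in failures:
        per_user[f.user].append(f)
    rows = []
    for user, evs in sorted(per_user.items()):
        if len(evs) > threshold:
            rows.append({"user": user, "failures": len(evs),
                         "addrs": sorted({e.addr for e in evs}),
                         "first": min(e.when for e in evs),
                         "last": max(e.when for e in evs)})
    return rows


def addresses_trying_many_ids(failures: List[FailedLogin],
                              min_distinct_users: int = 3) -> Dict[str, List[str]]:
    """Added pattern check: one token ring address failing against several
    different user IDs is unlike a forgotten password and deserves a look."""
    users_by_addr: Dict[str, set] = defaultdict(set)
    for f in failures:
        users_by_addr[f.addr].add(f.user)
    return {addr: sorted(users) for addr, users in sorted(users_by_addr.items())
            if len(users) >= min_distinct_users}


def format_report(rows: List[dict], flagged: Dict[str, List[str]]) -> List[str]:
    """Render both result sets as the lines an administrator would paste into
    the weekly Network Log."""
    lines = [f"{r['user']}: {r['failures']} failed logins from {', '.join(r['addrs'])} "
             f"between {r['first']:%Y-%m-%d %H:%M} and {r['last']:%Y-%m-%d %H:%M}"
             for r in rows]
    lines += [f"{addr}: failures against {len(users)} different IDs ({', '.join(users)})"
              for addr, users in flagged.items()]
    return lines


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    for line in format_report(exception_report(fails), addresses_trying_many_ids(fails)):
        print(line)
```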
In addition, if exception reports are produced, OIS will be\nable to analyze login failures for patterns and thus minimize the number of failures or more easily\ndetect security violations.\n\n        OIS\' Senior Network Administration Procedures, Section I.A, System Performance/Security\nLogs, states that the senior network administrator must maintain a weekly "Network Log" which\nincludes the token ring address of any individual who attempts to log into the network unsuccessfully\nmore than three times. Currently, OIS is not including this on its weekly Network Log.\n\n        Recommendations. We recommend that the Director of OIS:\n\na.      Obtain software to produce an exception report from the system logs identifying actual or\n        possible security violations.\n\nb.      Establish procedures to investigate and resolve all possible security violations and document\n        such resolution on the exception log for review by the appointed LAN security officer.\n\n        Commission Response. OIS stated that the additional time and cost needed to investigate and\nresolve all possible security violations would greatly outweigh the small amount of additional security\nprovided by implementing the audit recommendations. OIS will, however, re-establish the procedure\nof recording the network hardware ("token ring") location of unsuccessfullogins on the weekly\nNetwork Log.\n\n       Auditors\' Additional Comments. If OIS does not produce an exception report, OIS should, at\na minimum:\n\n        \xe2\x80\xa2      Continue to review the system log for failed logins.\n       .\xe2\x80\xa2      Discuss all failed login attempts with the LAN users.\n        \xe2\x80\xa2      Include the token ring address for failed logins on its weekly Network Log.\n\n4.     Security Plan Should Be Developed and Security Controls Tested\n\n        OIS representatives indicated that ITC does not have a documented security plan. 
We noted\nseveral practices established by OIS that increase the risk of security violations.\n\n       \xe2\x80\xa2       LAN users have 24-hour 7-day-per-week access to the LAN. OIS indicated\n               that it has observed that users sometimes leave their computers logged or\n               powered on during evenings or weekends. If users had limited access to the\n               LAN, OIS could set the system to automatically logoff users that did not\n               logoff before leaving work.\n\n\n\n\n                                                  8\n\x0c         \xe2\x80\xa2      LAN users can logon to more than one workstation simultaneously. If a user\n                logs on to a workstation other than his or her own and does not subsequently\n                log off, another employee could access the files of the first user without\n                proper authorization.\n\n         \xe2\x80\xa2      One network administrator account is shared by five network administrators\n                using the same password. OIS indicated that this account is used to perform\n                backup functions, which are accomplished by any of the network administra-\n                tors and generally require more than one administrator to complete. In the\n                event that a backup is made for an unauthorized purpose, by a user of the\n                shared account, OIS may not be able to detect who conducted the unautho-\n                rized activity.\n\n         OIS representatives indicated that the security risks associated with each of the above practices\nhave been considered and minimized by compensating controls. 
DIS should, however, have a\ndocumented security plan that addresses lTC\'s consideration of each of the Banyan Vines Network\nsecurity options, identifies controls in place to minimize possible violations, and states the installation\nstandards adopted by ITC.\n\n         OMB plans to implement proposed revisions to OMB Circular A-130, Appendix III, Security\nof Federal Automated Information Systems, in the near future. This proposed revision will replace\nOMB Bulletin 90-08. The proposed revisions require the development of security plans that include\nspecific security controls and periodic review of these controls.\n\n        Recommendations. We recommend that the Director of OIS:\n\na.      Develop a security plan that complies with the requirements of the proposed revisions to\n        OMB Circular A-130, Appendix III, and that addresses lTC\'s consideration of each of the\n        Banyan Vines Network security options, identifies controls in place to minimize possible\n        violations, and states the installation standards adopted by ITC.   \\\n\nb.      Establish a plan for reviewing security controls and assure that it is implemented in accor-\n        dance with the requirements of the proposed revisions to OMB Circular A-130, Appendix ITI.\n\n        Commission Response. DIS stated that it will develop a security plan that conforms to the\ndraft revised guidance in OMB Circular A-130.\n\n5.      Unauthorized Persons Have Access to Backup Tapes\n\n         OIS staff other than the network administrators have access to both daily and weekly backup\ntapes. We noted that several OIS employees other than the network administrators had access to the\ncomputer room and the combination to the containers in which the weekly backup tapes are kept.\nThe daily back-up tapes are kept in the computer room but not locked in containers. 
This increases the risk that network data, including confidential business data, may be obtained by unauthorized persons.

In addition, the backup tapes are not erased or degaussed after they are returned from off-site storage. OIS indicated that it backs up data for the current week on old backup tapes. If data for the current week are not sufficient to copy over all data on the tape, the old data remain on the tape. In the event the tapes are lost or stolen, ITC may not be able to ascertain the actual data lost.

OMB Circular A-130, Section 8.a(1)(g), states that agencies shall protect government information commensurate with the risk and magnitude of harm that could result from the loss, misuse or unauthorized access to or modification of such information.

Recommendation. We recommend that the Director of OIS modify its procedures to require both daily and weekly backup tapes to be safeguarded from unauthorized access by other than network administrators, and erased or degaussed after they are returned from off-site storage.

Commission Response. OIS stated that it will maintain a lockbox in the computer room for the storage of backup tapes.

Auditors' Additional Comments. We continue to think that erasing or degaussing the backup tapes is necessary to identify compromised data in the event the tapes are lost or stolen.

6. Procedures for Assuring Compliance with Software Licensing Requirements Are Inadequate

ITC does not have adequate procedures to assure that it does not violate software copyright restrictions. In response to a prior audit report recommendation, ITC began maintaining an inventory list of software purchased by ITC.
This list does not, however, include software installed by computer vendors and does not indicate the total number of licenses owned by ITC for each software program, including network software. The list also does not indicate on which computer the software is installed and how many licenses are available for other users. Therefore, ITC cannot readily determine the number of licenses it owns and the number available for other users.

In addition, ITC does not maintain a record of what software is loaded on each PC and compare this record to its inventory list. Accordingly, ITC cannot readily detect copyright violations. Neither OIS nor employees could produce proper licenses for some software installed on PCs.

U.S. Code, Title 17, Copyrights, states that anyone who violates any of the exclusive rights of a copyright owner is an infringer of the copyright and is subject to action taken by the copyright owner. ITC Administrative Order 93-01 states that ITC employees are prohibited from violating copyright laws.

An ITC representative indicated that many software packages are "self-metering," and that ITC also obtains site licensing to assist in preventing copyright problems. Self-metering only works, however, on network software. If network software is copied to a PC, the self-metering control will not work. In addition, ITC purchased many stand-alone copies of software programs, which should be monitored to assure that the licensing agreements are not violated.

Recommendations. We recommend that the Director of OIS:

a. Update its software inventory list to ensure that it contains all software for which ITC has a license, including software loaded on computers when purchased.

b. Sort the inventory list by software program and total the number of licenses for each software program.

c.
Identify all software installed on each computer and assure that ITC or the employee has a valid license for each program.

d. Maintain a record of authorized and licensed software on each computer and update this record when authorized software is added or deleted.

e. Periodically check the software installed on a sample of computers against the most current record of authorized and licensed software for the computer.

f. Take necessary actions to purchase additional licenses or delete unlicensed software from computers to assure compliance with copyright restrictions.

Commission Response. OIS stated that it would be extremely expensive to track and inventory software on all PCs in the agency and that this is not warranted by any evidence found during the audit or other pattern of abuse in the agency. Agency policy makes each individual responsible for complying with licensing requirements of software installed on his or her computer. OIS also stated that it has purchased and is waiting for resources to install a software metering program for LAN-based software that does not already have a built-in metering system.

Auditors' Additional Comments. ITC's existing policy is not adequate to determine and ensure compliance with licensing requirements for software not on the LAN. The use of "auditing" software enables a person to determine all software installed on a computer. However, unless OIS has an inventory of all software installed on the computers and all licenses, it cannot determine and ensure compliance with licensing requirements.

7. Procedures for Transporting Backup Tapes Are Not Documented

ITC has a contract with a commercial vendor to store its LAN backup tapes at an offsite location.
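Returning briefly to finding 6: the reconciliation that recommendations a through e describe (one inventory of every license owned, totalled per program, compared with a record of what is installed on each computer) can be carried out by a short program. The following is an added example and is not part of the audit report or of any ITC system; the product names, the purchase inventory, the per-computer install records and the authorized-software record are constructed sample data, and the functions are named here for illustration only.

```python
"""Software license reconciliation (added example, not from the audit report
or any ITC system).  Product names and all records below are constructed.

Steps follow recommendations a-e of finding 6: keep one inventory of every
license owned (including software shipped pre-installed), total it per
program, record what is installed on each computer, and compare the two.
"""
from collections import Counter
from dataclasses import dataclass

# (a) Inventory of purchased licenses, one entry per purchase.  Software that
# came pre-installed from the computer vendor is listed like any other purchase.
INVENTORY = [
    {"program": "WordPro 3.0", "licenses": 10, "source": "site purchase"},
    {"program": "Spread 2.1", "licenses": 5, "source": "site purchase"},
    {"program": "Spread 2.1", "licenses": 2, "source": "vendor pre-installed"},
    {"program": "Mail Client", "licenses": 25, "source": "network license"},
    {"program": "DrawIt 1.0", "licenses": 1, "source": "single copy"},
]

# (c) Software found installed on each computer, as an auditing tool run on
# the machine would report it (constructed).  PC-106 lists Spread 2.1 twice to
# show that one machine consumes one license however many times it is reported.
INSTALLED = {
    "PC-101": ["WordPro 3.0", "Spread 2.1", "Mail Client"],
    "PC-102": ["WordPro 3.0", "Spread 2.1", "Mail Client"],
    "PC-103": ["WordPro 3.0", "Spread 2.1", "Mail Client", "DrawIt 1.0"],
    "PC-104": ["WordPro 3.0", "Mail Client", "DrawIt 1.0"],
    "PC-105": ["WordPro 3.0", "Mail Client", "Solitaire Deluxe"],
    "PC-106": ["Spread 2.1", "Spread 2.1", "Mail Client"],
}

# (d) Record of the software each computer is authorized to run, kept current
# as licensed software is added or removed.  Only the sampled computer is shown.
AUTHORIZED = {"PC-105": ["WordPro 3.0", "Mail Client"]}


@dataclass
class Reconciliation:
    licensed: dict       # program -> total licenses owned (step b)
    installed: dict      # program -> number of computers it is installed on
    over_deployed: dict  # program -> installs in excess of licenses owned
    unlicensed: dict     # program -> computers where no license exists at all
    available: dict      # program -> licenses not yet assigned to a computer


def license_totals(inventory):
    """(b) Total the licenses owned for each program across all purchases."""
    totals = Counter()
    for entry in inventory:
        totals[entry["program"]] += entry["licenses"]
    return dict(totals)


def install_counts(installed):
    """Count the computers each program is installed on, once per computer."""
    counts = Counter()
    for programs in installed.values():
        counts.update(set(programs))
    return dict(counts)


def reconcile(inventory, installed):
    """Compare licenses owned with installs found; the basis for step (f)."""
    licensed = license_totals(inventory)
    counts = install_counts(installed)
    over, unlicensed, available = {}, {}, {}
    for program, n in counts.items():
        if program not in licensed:
            unlicensed[program] = sorted(
                pc for pc, progs in installed.items() if program in progs)
        elif n > licensed[program]:
            over[program] = n - licensed[program]
    for program, owned in licensed.items():
        available[program] = max(0, owned - counts.get(program, 0))
    return Reconciliation(licensed, counts, over, unlicensed, available)


def spot_check(authorized, found):
    """(e) Compare a sampled computer's scan with its authorized-software
    record.  Returns (present but not authorized, authorized but not present)."""
    present, expected = set(found), set(authorized)
    return sorted(present - expected), sorted(expected - present)


def report(result):
    """Render the reconciliation as plain-text lines for the reviewer."""
    lines = []
    for program in sorted(result.licensed):
        lines.append(f"{program}: {result.installed.get(program, 0)} installed, "
                     f"{result.licensed[program]} licensed, "
                     f"{result.available[program]} available")
    for program, extra in sorted(result.over_deployed.items()):
        lines.append(f"OVER-DEPLOYED {program}: buy {extra} license(s) "
                     f"or remove {extra} install(s)")
    for program, pcs in sorted(result.unlicensed.items()):
        lines.append(f"UNLICENSED {program} on {', '.join(pcs)}: "
                     f"produce a license or remove it")
    return lines


if __name__ == "__main__":
    print("\n".join(report(reconcile(INVENTORY, INSTALLED))))
    print(spot_check(AUTHORIZED["PC-105"], INSTALLED["PC-105"]))
```

On the constructed data the reconciliation flags DrawIt 1.0 as installed on one more computer than licenses owned and Solitaire Deluxe as installed with no license on record, while the spot check of PC-105 reports the same unrecorded program. This is the control the auditors note that a self-metering LAN cannot supply for stand-alone copies: it depends on the inventory and the per-computer records both existing and being kept current.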
The contractor transports the tapes from ITC to its storage facility in Herndon, Virginia. ITC does not have documented procedures for the contractor or OIS personnel regarding the transporting and releasing of backup tapes to assure the tapes are secure and are not accessible by unauthorized persons. Security and control procedures should be documented to assure that they are known by all parties and tested periodically to assure they are followed.

Based on discussions with the storage contractor, it appears that procedures are in place to safely transport backup tapes between locations. As discussed above, however, OIS should develop and document procedures to assure that the contractor only releases backup tapes to representatives authorized by OIS.

GAO Standards for Internal Controls in the Federal Government, Specific Standard No. 1, Documentation, states that internal control systems are to be clearly documented and the documentation is to be readily available for examination.

Recommendation. We recommend that the Director of OIS document the procedures for transporting backup tapes between ITC and the off-site storage facility and procedures for releasing backup tapes to ensure that the tapes are safeguarded from unauthorized use or disposition.

Commission Response. OIS stated that it has requested the contractor to provide brief documentation of its standard procedures for handling backup tapes.

Auditors' Additional Comments. While it is adequate to have the contractor document its standard procedures for handling backup tapes, we think OIS should, at a minimum, review the procedures for consistency with its intended policy and supplement them with a list of persons authorized to handle backup tapes and their authorization levels.

8.
Disaster Recovery Plan Is Not Tested

ITC issued a disaster recovery plan in March 1993, but has not updated or tested this plan. The plan contains contact names of persons who are no longer ITC employees. In addition, ITC has not tested the plan to ensure that:

•  Points of contact and their telephone numbers are current and accurate.

•  Contact persons are informed about their role and would be readily available in the event of an emergency.

•  Hardware and software replacements would be available as required.

•  Information about external services is current and accurate.

In testing the disaster recovery plan, ITC should simulate a disaster and perform the necessary steps to recover, such as preparing a list of parts or equipment needing replacement, contacting vendors for availability, recalling backup tapes, and providing interim solutions to LAN users.

OMB Circular A-130, Appendix III, Section 3.c.(3), Disaster and Continuity Plan, states that agencies are to maintain disaster recovery and continuity of operations plans that are fully documented and operationally tested periodically at a frequency commensurate with the risk and magnitude of loss or harm.

Recommendation. We recommend that the Director of OIS update and test its disaster recovery plan and establish procedures to periodically update and test the plan in the future.

Commission Response. OIS stated that the disaster recovery plan has already been updated as recommended and that it will run a simulation to test the plan. The simulation, however, will be limited to checking the validity of phone numbers, etc., due to resource constraints and to avoid disruption of agency work.

9.
Titles and Roles of Network Administrators Should Be Clarified

We noted that various ITC directives and publications used different terms to describe network administrators who have access rights to a limited area. For instance, Administrative Announcement FY 91-40 uses the term Local LAN Administrator, Administrative Announcement FY 91-19 uses Local LAN Rep, and ITC Directive 1360.1 uses Designated Systems Administrators or Coordinators. During our review, it appeared that there was not a clear distinction between persons identified as LAN administrators, who have certain access rights, and LAN representatives, who have only user access rights and do not operate in the capacity of a network administrator. This caused confusion for office supervisors and users because it was not clear whom they should contact about LAN matters or problems.

ITC prepared a Network Administration Standards and Procedures Guide in June 1989, which included tasks and functions that helped the LAN administrators to manage everyday functioning of the LAN and its users. It set standards for performing specific LAN routines and identified procedures to perform LAN tasks correctly and meet established standards. An OIS representative indicated that this document is no longer used and was possibly replaced by the USITC Banyan Network Users' Manual. The users' manual was produced in August 1993 for the purpose of providing a source for end users to better utilize the network resources. It does not include standards and guidelines for network administrators.

GAO Standards for Internal Controls in the Federal Government, Specific Standard No. 1, Documentation, states that internal control systems should be clearly documented and the documentation should be readily available for examination.

Recommendations. We recommend that the Director of OIS:

a.
Issue a statement to all LAN users clarifying the titles, and describing the roles and responsibilities assigned to each level of LAN administrator.

b. Reissue a Network Administration Standards and Procedures Guide to all LAN administrators.

Commission Response. OIS stated that it does not agree that inconsistency in the use of terms for Network Administrators in various directives results in confusion or impediment to obtaining services or assistance. It stated that it will review and revise the terms for consistency as the documents are modified.

Auditors' Additional Comments. During our review, we noted confusion between the terms and think that a statement identifying duties and responsibilities will be helpful. In addition, we continue to believe that OIS should reissue a Network Administration Standards and Procedures Guide to all LAN administrators.

10. Policies Regarding Non-essential Software and Unofficial Computer Use Should Be Established

We determined that ITC does not have policies or guidance regarding the use of computer equipment for non-official business or the availability of software that is not essential for an employee to perform his or her duties. We could not determine the extent, if any, that employees used computers for non-official business. We did observe, however, that there were two games on the network (in Windows Software) and one game on the C:\ drive of one other computer.

We did not find any specific Federal guidance prohibiting non-essential software on Government computers or the use of Government computers for non-official business. However, the proposed revision to OMB Circular A-130, Appendix III (Federal Register, Volume 60, No. 63, dated April 3, 1995), stresses management controls such as individual responsibility and accountability rather than technical controls.
For instance, an important new requirement for security plans is the establishment of rules of behavior for individual users. These rules should clearly delineate responsibilities and expectations of individuals with access to the system. The rules should cover such matters as unofficial use of government equipment and the assignment and limitation of system privileges. The proposed revision introduces the concept of "least privilege," which restricts the user's access or type of access to the minimum necessary to perform his or her job.

Recommendation. We recommend that the Director of OIS write proposed policies for commissioner approval regarding the use of Government equipment for non-official business and the availability of non-essential software in accordance with the principles of "least privilege."

Commission Response. OIS stated that it does not agree that ITC does not have policies or guidance regarding the use of computer equipment for nonofficial business because it is covered in the mandatory annual Federal employee ethics training by the General Counsel. In addition, guidance on the use of agency facilities to access the Internet and for job-search purposes has been recently issued by the Chairman. OIS does not regard the use of legal but non-essential software as a problem.

OIS stated that with respect to its policy approach to controlling access to information on its computer systems, ITC is in a relatively low-threat environment. Access controls are applied on a need-to-know basis for systems and databases needing protection. For the general LAN systems, OIS believes that maximum sharing of information results in improved work processes and forming of teams across organizational boundaries.

OIS stated that it will review with the General Counsel and make a recommendation on the need and format for guidance on authorized non-official uses of agency computer facilities.
It will be along the lines of the GSA guidance on authorized non-official telephone use and existing agency guidance on authorized non-official use of the Internet.

Appendix

UNITED STATES INTERNATIONAL TRADE COMMISSION
WASHINGTON, DC 20436

December 15, 1995

Memorandum

To:       The Inspector General
From:     Director, Information Services
Subject:  Agency response to draft LAN Operations audit report

The subject audit concentrated mainly on security of LAN operations. The results of the review confirm that the agency is maintaining an appropriate balance between cost, user convenience and security in our network operations.

The primary goals of our LAN security policies are to avoid economic loss of staff work product; to avoid compromise of sensitive data; and to discourage employee abuse of software licenses. These goals are based on our assessment of the actual risks in our computing environment, taking into account the level of sensitivity of our data and the likely constraints on parties with a motive for getting unauthorized access to or destroying data on our systems.

The audit found no definite or probable instances of security violations, no evidence of significant loss or destruction of data or other work product, and no evidence of widespread or intentional violations of intellectual property (i.e., illegal software use.)

The specific security weaknesses identified in the report are mainly cases where there is a lack of documentation or a lack of positive control over relatively minor risk factors.
However, the auditors did make several worthwhile recommendations that we are implementing or will implement as resources permit.

Our response to the specific findings is as follows. The Office of Information Services (OIS) will complete the actions noted on all issues on or before July 1, 1996.

1. "Security control weaknesses exist regarding use of modems." The auditors recommend implementing much more restrictive controls on modem use in the agency, and new reports on dial-in access traffic. OIS believes the threat from this source is minimal and the cost and inconvenience of the additional reports and restrictions are not justified.

Action item: We will implement closer monitoring of failed attempts to log in to the network via the non-dial-back facility since we have identified a way of doing this that does not involve extensive administrator time.

2. "Unauthorized and fictitious users are not deleted from the network on a timely basis." The "fictitious users" referred to are accounts established for such purposes as network administration, weekend data backup, students using the ITC training room, etc. OIS has a procedure in place that double-checks that program-office LAN administrators have deleted departing employees from the network. The procedure is not perfect and it does involve a delay of up to 1 month from the time the user stops using the network. However, we believe the threat from departing employees is small, and we have never become aware of an actual or suspected case of compromise or destruction of data from this source.
The auditors did discover one case where an administrator account was not deleted or deactivated within a few weeks of the departure of an OIS employee, but we were able to positively confirm that his account was never used after the employee's departure, and the data access available to that account was noncritical.

Action item: We will implement an annual review of fictitious accounts to establish the continuing need for each or to delete them.

3. "Procedures for investigating security violations should be strengthened." We believe that the small additional security provided by the measures suggested by the auditors would be very greatly outweighed by the additional time and cost needed to "investigate and resolve all possible security violations" (including the very common occurrence of a failed login attempt.)

Action item: We will re-establish the procedure of recording the network hardware ("token ring") location of unsuccessful logins.

4. "Security Plan should be developed and security controls tested."

Action item: We will develop a security plan that conforms to the draft revised OMB guidance in Circular A-130.

5. "Unauthorized persons have access to backup tapes." Several OIS staff members other than the network administrators have access to the main computer room as a requirement for performance of their duties. They are thus not "unauthorized," and are subject to the same legal and policy sanctions as administrators for any possible abuse of their access to ITC computer systems. However, we do agree that security could be enhanced somewhat at little or no cost by maintaining a lockbox in the computer room for the storage of backup tapes.

Action item: We will implement a tape lockbox in the computer room.

6. "Procedures for assuring compliance with software licensing requirements are inadequate." It would be extremely expensive for the agency to attempt to track and inventory software on all PCs in the agency. Nor is this warranted by evidence from the audit or otherwise of any pattern of abuse in the agency. Agency policy clearly makes each employee responsible for complying with licensing requirements of software they may install or permit to be installed on their computers. A reminder of this policy was sent to all employees this past summer, along with an offer to make "auditing" software from the Software Products Association available to individuals or managers who want their PCs or those in their units checked. Licenses for LAN-based software are clear enough in most cases that no special tracking procedure is needed. For example, we have agencywide licenses for e-mail and word processing software. To help us track usage for license-compliance purposes where that is necessary because the vendor does not provide built-in metering, we have bought and are waiting for resources to be available to install a software metering program.

Action item: We will implement software metering for LAN-based software as needed and feasible.

7. "Procedures for transporting backup tapes are not documented."

Action item: We have asked the contractor to provide brief documentation of their standard procedures for handling tapes.

8. "Disaster recovery plan is not tested."

Action item: The ITC Disaster Recovery Plan has already been updated as recommended. We will run a simulation to test the plan. (However, we will limit the simulation to checking the validity of phone numbers, etc. in view of resource constraints and to avoid disruption of agency work.)

9. "Titles and roles of network administrators should be clarified." We do not agree that inconsistency in use of the terms "Local LAN Administrator" and "Local LAN Representative" in various directives results in significant confusion (of agency staff) or impediment to obtaining services or assistance.

Action item: We will review the use of the terms "LAN administrator" and "LAN Representative" in agency guidance publications and revise them for consistency as the documents are modified.

10. "Policies regarding non-essential computer use should be established." We disagree that "the ITC does not have policies or guidance regarding the use of computer equipment for nonofficial business. . ." This is very adequately covered in the mandatory annual Federal employee ethics training given to every employee by the General Counsel. Guidance on specific issues related to use of agency facilities for accessing the Internet have been issued recently, and guidance and specific authorization to use agency computer facilities for job-search purposes during the RIF period has also been issued by the Chairman.

We do not regard use of legal but "non-essential" software as a problem. Such products might include screen savers, personal information managers (like a Rolodex, but electronic) and other "personal productivity" software that may be in the public domain or may be owned by employees.

With respect to our policy approach to controlling access to information on our computer systems, we start from the fact that we are in a relatively low-threat environment, so that measures designed for defense, intelligence or financial systems are inappropriate. Where we do have systems or databases that need protection, like confidential Dockets submissions, we apply access controls on a need-to-know basis.
However, for our general LAN systems we believe that maximum sharing of information encourages the creative and entrepreneurial efforts of staff to use all available tools to improve their work processes and form teams across organizational boundaries.

Action item: OIS will review with the General Counsel and make a recommendation on the need for and appropriate format for guidance on authorized non-official uses of agency computer facilities, along the lines of the GSA guidance on authorized non-official telephone use and the existing agency guidance on authorized non-official uses of the Internet.

Chairman's approval of agency response to draft audit report

Date: [handwritten, illegible]